Data Protection Bill [HL] Debate
Full Debate: Read Full DebateDepartment: Department for Digital, Culture, Media & Sport
Lord Ashton of Hyde
Main Page: Lord Ashton of Hyde (Non-affiliated - Excepted Hereditary)Department Debates - View all Lord Ashton of Hyde's debates with the Department for Digital, Culture, Media & Sport
Data Protection Bill [HL]
Lord Ashton of Hyde Excerpts(6 years, 7 months ago)
Lords ChamberRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Lord Lester of Herne Hill (LD)
My Lords, I want to raise an issue which I would be grateful if it were thought about, although I would not dream of asking the Minister to give an informed reply today. I am puzzled especially by Amendment 37, spoken to by the noble Lord, Lord Griffiths, because I spent a good deal of my time developing the Equality Act 2010 and we were very concerned when doing so about issues of personal privacy and enforceability.
Obviously, one size does not fit all when it comes to equal opportunity and treatment. It is fairly easy to operate a policy measuring ethnicity, for example, without any problem about privacy; it is pretty easy to do so in respect of gender, although gender does not at the moment figure in the list for some reason, but it becomes terribly difficult when one is dealing with sexuality, religion or philosophical belief, which are for some reason in the list at the moment. I would be grateful if the Minister could reflect with people from the Government Equalities Office on whether this is an example of overlegislation, which it would be much better to prune down.
I am all in favour of affirmative action to promote equality between the sexes or people of different ethnicity, but when it comes to religion, philosophical belief and the other matters that are either there at the moment or would be there under Amendment 37, I get very worried. For example, I once represented the Church of Scientology—successfully—in establishing that scientology is a religion. I would not like these provisions to be the source of conflict and division between one kind of religion and another, or one kind of no religion and humanists, and so on. I think it is an example of overlegislation and underlegislation, and needs to be sorted.
The Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport (Lord Ashton of Hyde) (Con)
My Lords, I am grateful to all noble Lords who have participated. I am especially grateful for the clear way in which the noble Lord, Lord Griffiths, outlined the case for all his amendments. He could have chosen an easier Bill to start on, I must say, but he did it very well. I am grateful for the opportunity to set out the purpose of various conditions included in Schedule 1, this time specifically with reference to Part 2.
As we have already discussed, for “special categories of data” to be processed lawfully, controllers must demonstrate that their processing meets one of the processing conditions set out in article 9 of the GDPR. We have already touched on several of these. Here we turn to processing which is,
“necessary for reasons of substantial public interest”.
Clause 9 requires that controllers wishing to rely on this processing condition must meet one of the conditions set out in Part 2 of Schedule 1.
Paragraph 7 of Schedule 1 allows processing of certain specified special categories of personal data for the purpose of promoting equality of opportunity. Amendment 37 seeks to expand this condition to permit the processing of additional categories of personal data. This is unnecessary because the categories of data referred to in the amendment are either not considered by the GDPR framework to be special categories of data in the first place or covered by the categories already listed in paragraph 7 of Schedule 1; for example, “Personal data revealing age” need not be listed because it is not subject to additional protection to begin with.
The Government accept that the existing special categories of data are broad and in some circumstances will overlap with the categories of data suggested in the amendment; for example,
“Personal data revealing a disability”,
will fall within the special category of “Data concerning health”. But in these cases, paragraph 7 already permits the processing of such data for equality-monitoring purposes. I will read carefully the remarks of the noble Lord, Lord Lester. I suspect his point is to do with what is and what is not a special category of data, but I will read Hansard and write to him, and copy other noble Lords. I thank him for not requiring a considered answer tonight.
Amendments 38 and 39 address the condition in paragraph 8 which permits the processing of data where this is,
“necessary for the purposes of the prevention or detection of an unlawful act”.
Amendment 38 would make it clear that the condition was available only if the unlawful act in question was “serious”. I can understand the rationale behind the amendment but the Government consider that it might nevertheless be in the substantial public interest for an organisation to process data for the prevention or detection of an unlawful act that was not obviously “serious”. An offence such as driving without a licence or insurance may not be the most serious in terms of the maximum penalty available, but it could still be in the substantial public interest for it to be reported by the data controller. Paragraph 8 ensures that data controllers are empowered to make that call and be accountable for their decision.
Amendment 39 would make the condition available only,
“under circumstances in which it is reasonably clear that a data subject is unlikely to give consent”.
While similar provision is made in other conditions where required, the Government consider that it would not be appropriate in this case, given that the purpose is to process data in circumstances where seeking consent risks prejudicing the prevention or detection of an unlawful act.
Amendment 40 would remove the word “dishonesty” from paragraph 9(2)(a) so that an organisation could rely on this provision only if it were processing sensitive categories of personal data to protect the public from malpractice, other seriously improper conduct or the other listed behaviours. The Government consider that there might be situations where an organisation would also need to process data to protect the public from dishonesty that does not necessarily amount to malpractice or improper conduct. It is therefore right that the paragraph covers the full gamut. This processing condition is not new; a similarly worded provision already exists under the current Data Protection Act.
The noble Lord, Lord Griffiths, suggested that there was a need for a further definition of “dishonesty”. I am afraid we do not agree. The word has a plain English meaning, defined in the dictionary. Furthermore, to define it here would cause confusion as it is used throughout UK legislation.
Amendment 41 would extend the scope of the same processing condition so that it could also be used to protect bodies and associations, rather than just the general public, from dishonesty, malpractice and improper conduct. It is one thing to allow the processing of an individual’s personal data for the purposes of protecting the general public—that is, other individuals; there is a neat symmetry there—but quite another to suggest that it could be processed to protect organisations from reputational harm. On that basis, I cannot agree to include it.
Amendments 43 and 44 address the processing condition in paragraph 12 which allows organisations such as banks to make disclosures “in good faith” under the Terrorism Act 2000 and the Proceeds of Crime Act 2002 about third parties who are suspected of terrorist-financing offences or money laundering. This processing condition is intended to protect organisations that disclose data on the basis of a genuine suspicion, even if it turns out later not to have been well founded. Noble Lords will recall that this condition was debated and agreed to as part of the Criminal Finances Bill earlier this year. The condition is tied to the improvement of a specific statutory regime—known as the suspicious activity reports regime—and is designed to give legal clarity to encourage the sharing of information to prevent serious crime and terrorism. I know there are some in the financial sector who have suggested that these provisions should go further to permit screening by private companies for the purposes of checking against non-UK laws on terrorist financing and money laundering. As noble Lords may be aware, the relevant provisions in the Criminal Finances Act were commenced only at the end of last month. We are not convinced that there is a need to amend them at such an early stage.
Amendment 45 would amend the processing condition relating to,
“confidential counselling, advice or support”,
in paragraph 13. It would add “guidance” to the list of processing activities which are permitted under this provision. This paragraph is not new; the relevant wording is drawn directly from existing legislation. But I am happy to put on the record the Government’s view that guidance is already covered by this provision and thus there is no need to amend it.
Amendments 45A and 64 in the name of my noble friend Lady Neville-Jones seek to clarify the legal status of processing by patient support groups. The Government strongly support the varied and important work of patient support groups and I am grateful for my noble friend’s time in meeting me recently. It is important to reiterate that groups such as Unique will have access to a number of provisions already in the Bill, even in cases where consent cannot be obtained, or reobtained, from the data subject.
We discussed the provisions for scientific research last week. In addition, paragraph 13 of Schedule 1 makes provision for confidential counselling, advice and support. Taken together, the provisions I have mentioned—for consent, scientific research, and confidential counselling, advice and support—seem to cover a great deal of the vital work undertaken by patient support groups. But the Government retain an open mind on this and I will read my noble friend’s contribution in Hansard carefully.
Lord Ashton of Hyde
I agree. I have the same. You have to put in your numerical password every so often just to check that you have still got the same finger. Technically, you might not have.
The amendments also seek to permit the processing of such data when biometric identification devices are installed by employers to allow employees to gain access to work premises or when the controller is using the data for internal purposes to improve ID verification mechanisms. I am grateful to the noble Lord for raising this important issue because the use of biometric verification devices is likely only to increase in the coming years. At the moment, our initial view is that, given the current range of processing conditions provided in Schedule 1 to the Bill, no further provision is needed to facilitate the activities to which the noble Lord referred. However, this is a technical issue and so I am happy to write to the noble Lord to set out our reasoning on that point. Of course, this may not be the case in relation to the application of future technology, and we have already discussed the need for delegated powers in the Bill to ensure that the law can keep pace. I think we will discuss that again in a later group.
On this basis, I hope I have tackled the noble Lord’s concerns, and I would be grateful if he will withdraw the amendment.
Lord Clement-Jones
My Lords, as usual the noble Lord, Lord Maxton, has put his finger on the problem. If we have iris recognition, he will keep his eye on the matter.
I thank the Minister for his explanation of the multifarious amendments and welcome the maiden speech from the Front Bench by the noble Lord, Lord Griffiths. I do not think I can better my noble friend Lord McNally’s description of his ascent to greatness in this matter. I suspect that in essence it means that the noble Lord, Lord Griffiths, like me, picks up all the worst technical amendments which are the most difficult to explain in a short speech.
I thought the Minister rather short-changed some of the amendments, but I will rely on Hansard at a later date, and I am sure the Opposition Front Bench will do the same when we come to it. The particular area where he was disappointing was on what you might call the Thomson Reuters perspective, and I am sure that we will want to examine very carefully what the Minister had to say because it could be of considerable significance if there is no suitable exemption to allow that kind of fraud prevention to take place. Although he said he had an open mind, I was rather surprised by his approach to Amendments 45A and 64 which were tabled by the noble Baroness, Lady Neville-Jones. One will have to unpick carefully what he said.
The bulk of what I want to respond to is what the Minister said about biometrics. I took quite a lot of comfort from what he said because he did not start quoting chapter and verse at me, which I think means that nobody has quite yet worked out where this biometric data fits and where there might be suitable exemptions. There is a general feeling that somewhere in the Bill or the schedules we will find something that will cover it. I think that may be an overoptimistic view, but I look forward to receiving the Minister’s letter. In the meantime, I beg leave to withdraw the amendment.
Lord Ashton of Hyde
My Lords, I am grateful to noble Lords who have spoken and for the opportunity to set out the purposes of various conditions included in Part 1 of Schedule 1.
It is worth recalling that, in order for special categories of data to be processed lawfully, controllers must demonstrate that their processing meets one of a defined list of processing conditions set out in article 9 of the GDPR. Many controllers will meet this requirement by seeking the explicit consent of the data subject but the reality is there will be circumstances where it would not be appropriate, or indeed possible, for a controller to seek consent. In these cases, alternative conditions include processing which is necessary for the purposes of employment and social security; for the provision of health or social care; for public health; and for archiving and research. But for UK controllers to take advantage of these particular processing conditions, the UK must make suitable provision in UK law. That is what the conditions set out in Part 1 of Schedule 1 seek to do.
Paragraph 1 of that schedule, referenced in Amendment 25, refers to the processing of sensitive personal data where necessary for exercising obligations under employment law, social security law or the law relating to social protection. This is a specific category under article 9(2)(b) of the GDPR, and paragraph 1 gives it legislative effect.
It is true that the 1998 Act did not refer to social security and social protection law, but the GDPR gives them specific emphasis in recognition of the reality that processing of special categories of data may be necessary for the purposes of calculating social security benefits or arranging interventions by social services when people are in need of support. In practice, it may not be possible to obtain consent to every measure or decision which is taken about a person when arranging benefit payments or care provisions. Amendment 25 would remove paragraph 1(1)(a) from Schedule 1, making this clause ineffective and closing off a potentially valuable processing condition to social services and other care providers.
The noble Earl, Lord Kinnoull, and the noble Lord, Lord Clement-Jones, suggested in Amendment 25A that “under” employment law should be replaced with “in connection with” employment law. I appreciate the sentiment behind the amendment, which is to ensure that the provision does not operate too restrictively. However, the Government are satisfied the term is sufficiently broad to cover processing that would have been permitted for these purposes under the Data Protection Act, while operating within the limits of the derogation provided for by the GDPR. The new condition, which permits processing that is,
“necessary for the purposes of performing or exercising obligations or rights of the controller or the data subject under employment law”,
would have the same meaning as the Data Protection Act wording, which referred to, processing necessary for the purposes of,
“exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment”.
I therefore hope the noble Lords will accept my reassurances in that regard.
The Earl of Kinnoull
I raise a simple point—that pretty big businesses look after the employment law insurance issues, and they are so incredibly important that they are often compulsory types of insurance because we feel that every business should have them. These huge businesses will have massive change in the way this operates because there is this change. We have just heard that it is not a change, but I hope that the Minister will accept that the insurance businesses—I had a sensitive briefing from the ABI—are worried about that. Accordingly, will he at least be prepared to have a meeting to go through that, otherwise there will be a lot of expense, fuss and bother and maybe some unintended damage to the process of an important type of insurance?
Lord Ashton of Hyde
I said that we believe that the term is sufficiently broad to cover processing that would have been permitted hitherto, which the noble Earl refers to. However, of course, if we have got it wrong and if the insurance industry has a point it wants to bring up, it would be sensible, and I would be delighted, to meet him and the industry to discuss that. As I said before, we have an open mind, so I will certainly do that.
On the provisions in paragraphs 2 and 3 of Schedule 1 on health and social care, and public health, respectively, which are the focus of Amendments 27 to 29, it is fair to say that the drafting here has moved on slightly from the approach taken in Schedule 3 to the 1998 Act. However, article 9(2)(h) of the GDPR refers specifically to processing which is necessary for,
“the assessment of the working capacity of an employee”,
and,
“the management of health … care systems”.
Article 9(2)(i) refers specifically to processing which is,
“necessary for reasons of public interest in the area of public health”.
The purpose of paragraphs 2 and 3 of Schedule 1 is to give these GDPR provisions legislative effect. To remove these terms from the clause by virtue of Amendments 27 to 29 would mean that healthcare providers might have no lawful basis to process special categories of data for such purposes after 25 May. I am sure that noble Lords would agree that that would be unwelcome.
The noble Lord, Lord Kennedy, asked some questions on paragraph 2 and asked for an example of data processed under paragraph 2(b). An example would be occupational health. The wording of paragraph 2(2)(f) of Schedule 1 is imported from article 9(2)(h), and I refer the noble Lord—I am sure that he has remembered it—to the exposition given in recital 53.
Paragraph 4—the focus of Amendments 32 to 34—provides for the processing of special categories of data for purposes relating to archiving and research. The outcome of these amendments would be to name specific areas of research and types of records. The terms “scientific research” and “archiving” cover a wide range of activities. Recital 157 to the GDPR specifically refers to “social science” in the context of scientific research, and recital 159 makes it clear that,
“scientific research purposes should be interpreted in a broad manner including for example technological development and demonstration, fundamental research, applied research and privately funded research”.
The Government are not aware of anything in the GDPR or the Bill which casts doubt on the application of these terms to social science research or digital archiving.
Finally, on the important issue of confidentiality, Amendments 31 and 70 are unnecessary, because all health professionals are subject to the common-law duty of confidentiality. The duty is generally understood to mean that, if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider’s consent. However, beyond relying on the common-law duty of confidentiality, health professionals and social work professionals are bound by the requirements in their employee contract to uphold rules on confidentiality, whether that information is held on paper, computer, visually or audio recorded, or even held in the memory of the professional. Health professionals and social work professionals as defined in Clause 183 are all regulated professionals.
I can therefore reassure the noble Lord, Lord Kakkar—I am also grateful to the noble Lord, Lord Lester, for his support with regard to the Human Rights Act—that the Government strongly agree on the importance of the common-law duty of medical confidentiality but also recognise that it is not absolute. For example, there already are, and will continue to be, instances where disclosure of personal data by a medical professional is necessary for important public interest purposes, such as certain crime prevention purposes or pursuant to a court order. I therefore cannot agree to Amendment 108A, although, as we have already said, the Government are committed to looking at the issue of delegated powers in the round. I will certainly include that in that discussion. Therefore, with that reassurance, I ask the noble Lord to withdraw his amendment.
Lord Lucas
My Lords, might I beg a meeting of the Minister to discuss the matter of suicidal students at university and how that will be handled under the new legislation as it is developed? This need not necessarily fit within the timescale of the Bill, but I would very much like to be able to understand policy on it and to involve universities in moving from the current unsatisfactory position.
Lord Ashton of Hyde
It is always a pleasure to meet my noble friend, and I am happy to do that.
Lord Kennedy of Southwark
My Lords, I thank all noble Lords who have spoken in the debate this evening. We have touched on a number of important topics, which I hope the noble Lord, Lord Ashton of Hyde, will reflect on as we move through the Bill and look at these issues again. I make it clear that my amendments were all probing amendments to get from the Government their position on things. I was particularly pleased that the noble Earl, Lord Kinnoull, raised the issue about the insurance industry and that the Minister will meet him and representatives of the industry.
I noticed when the Minister replied to the debate that on more than one occasion he made references to recitals. He, I and the House know that the recitals will not form part of British law, so to keep relying on them is, I contend, a little weak on the Government’s part. They will have to find something a bit stronger and more solid as we move on, because, as I said, these will not form part of British law. That is an important point for the Minister to think of when he responds to amendments. For him to keep relying on them highlights the position the Government are in, which is not very good at the moment. Having said that, I beg leave to withdraw the amendment.